Add a firewall and configure ssh access to your server, set up https for your site

Once the server configuration for your site is set up, it's time to take some basic security measures.

July 16, 2020, 2:03 p.m.
Themes: Deployment

In a previous tutorial we configured a site to run on a DigitalOcean server with Gunicorn, Nginx and Supervisor. We are now going to switch on the firewall, set up encrypted access (https) to the site and secure access to the server with ssh keys.

1. Switch on the firewall

DigitalOcean has a good tutorial with instructions on how to set up UFW (Uncomplicated Firewall). Log in as the root user (or prefix each command with sudo). First we make sure that the firewall will allow us to connect with ssh, and only then do we enable ufw, so we don't lock ourselves out:

ufw allow OpenSSH
ufw enable

We can check which services are allowed with:

ufw status

All services are now blocked except for ssh. If you need to allow access to port 8000 for development, type:

ufw allow 8000

In production we don't need port 8000 anymore, so we can block it again with:

ufw delete allow 8000

We want to open the firewall for Nginx as well. To show which applications ufw recognizes, type:

ufw app list

The list should contain Nginx HTTP (for access via port 80), Nginx HTTPS (via port 443) and Nginx Full (via both ports). Enable both HTTP and HTTPS:

ufw allow 'Nginx Full'

2. Set up https

Again there is a good tutorial on DigitalOcean on how to use the program Certbot to integrate free TLS/SSL certificates from Let's Encrypt into your Nginx configuration. We won't repeat the detailed instructions; install Certbot and its Nginx plugin package:

sudo apt install certbot python3-certbot-nginx

Run Certbot with the Nginx plugin, naming every hostname the certificate should cover:

sudo certbot --nginx -d pythoneatstail.com -d www.pythoneatstail.com

If this is the first time you run Certbot, you'll have to supply an email address (see the tutorial). Certbot then asks whether it should redirect all HTTP traffic to HTTPS; choose 2 to agree. You can then have a look at the changes it made in the configuration file /etc/nginx/sites-available/pet.

Depending on the version of the Certbot package on your operating system, Let's Encrypt might give your site a grade B instead of the highest grade, because the less secure protocols TLS 1.0/1.1 are still enabled. That's because Certbot overrides the ssl_protocols parameter from the configuration file nginx.conf with its own setting.

Your site should now be available at https://www.pythoneatstail.com (use your own domain name).

3. Set up SSH access from local computer to server

In a previous tutorial we created a user with password access to the server. By default the root user also needs a password. By generating an RSA key pair and saving the public key on the server, we can let users log in from the local computer without a password. Generate a key pair by typing the following command in the terminal on your local computer:

ssh-keygen

If you want additional security, add a passphrase when asked for one. The keys are stored by default in the hidden .ssh subdirectory of the local user's home directory, as two files: id_rsa (the private key, which stays on your computer) and id_rsa.pub (the public key). Print the contents of id_rsa.pub to your terminal with:

cat .ssh/id_rsa.pub

and copy the whole string to the clipboard. Connect to the server with ssh (using the password one more time) and, in the home directory of the user you want to give key access (e.g. /root for the root user, /home/usr_pet for usr_pet), create a hidden directory .ssh with a file authorized_keys in it:

mkdir .ssh
touch .ssh/authorized_keys

Open the file in your editor and paste the contents of the clipboard into it. The user should now be able to log in without a password. If you want, you can disable password login altogether by setting the PasswordAuthentication directive in the file /etc/ssh/sshd_config. Edit the file so that it says:

PasswordAuthentication no

Restart the ssh service with:

service ssh restart

Now the server should only be reachable directly over ssh with your key.
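As an added example (not part of the original tutorial), the following POSIX shell script performs the authorized_keys setup of this step with the permissions sshd's StrictModes expects, and checks which PasswordAuthentication value sshd will actually use before you restart it. The key and config files it works on are constructed in a temporary directory; on a real server the authoritative check is `sshd -T | grep -i passwordauthentication`.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Two helpers for step 3:
# install_key HOME PUBKEY  installs a public key for the user whose home
#   directory is HOME, with the permissions sshd (StrictModes, on by default)
#   requires, and never adds the same key twice.
# effective_password_auth SSHD_CONFIG  prints the value sshd will really use.
#   sshd keeps the FIRST occurrence of a keyword, so a "PasswordAuthentication
#   no" appended below an earlier "yes" is silently ignored. Files pulled in
#   by an Include line can do the same; this small parser does not follow them.

install_key() {
    home="$1" pubkey="$2"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"                  # directory: owner only
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"  # file: owner read/write only
    if ! grep -qxF "$(cat "$pubkey")" "$home/.ssh/authorized_keys"; then
        cat "$pubkey" >> "$home/.ssh/authorized_keys"
    fi
    grep -c . "$home/.ssh/authorized_keys"  # number of keys now installed
}

effective_password_auth() {
    awk 'BEGIN { v = "yes" }                 # sshd default when unset
         /^[[:space:]]*(#|$)/ { next }        # skip comments and blank lines
         { gsub(/=/, " ") }                   # "Key=value" is also legal syntax
         tolower($1) == "match" { exit }      # lines after Match are conditional
         tolower($1) == "passwordauthentication" { v = tolower($2); exit }
         END { print v }' "$1"
}

# Demo on constructed data in a temporary directory.
tmp=$(mktemp -d)
printf 'ssh-ed25519 AAAAexamplekey user@laptop\n' > "$tmp/id.pub"  # constructed
install_key "$tmp/home" "$tmp/id.pub" > /dev/null
install_key "$tmp/home" "$tmp/id.pub"      # prints 1: the key was not duplicated
printf '#PasswordAuthentication yes\nPasswordAuthentication no\n' > "$tmp/good.conf"
printf 'PasswordAuthentication yes\nPasswordAuthentication no\n' > "$tmp/bad.conf"
effective_password_auth "$tmp/good.conf"   # no
effective_password_auth "$tmp/bad.conf"    # yes: the later "no" is ignored
rm -r "$tmp"
```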

Even a well-secured site can break down and data can get lost. Read on to learn how to back up and restore your data.
